The WordPress Custom Contact Form did not display the “Thank you” text after submitting my contact form, nor was it redirecting when I changed it to do so.

I saw that PHP was returning correct JSON code:

    {"success":true,"action_type":"redirect","completion_redirect_url":"...

After enabling Firebug debugging in Firefox, I came across this interesting message:

The thing with AJAX/jQuery scripts is that they render HTML code in a frame or iframe tag. This can be a security hole in some form because it can allow a hacker to inject a script that will execute remote code.

This can be controlled with the X-Frame-Options HTTP header, which instructs the browser to render, not render, or render only from the same origin domain any code loaded into frame or iframe tags.

In my Nginx configuration it was set to deny:

    add_header X-Frame-Options Deny;

I changed it to:

    add_header X-Frame-Options sameorigin;
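
To see why Deny broke the form while sameorigin still stops other sites from framing it, here is an added example (not part of the original post) that models the browser's X-Frame-Options check in simplified form. The URLs are constructed sample values, and Content-Security-Policy frame-ancestors is not modelled.

```javascript
// Added example: simplified model of how a browser applies X-Frame-Options.
// All URLs below are constructed sample values, not taken from the post.

// headerValues: X-Frame-Options values received (empty array if none).
// framedUrl:    URL of the response being loaded into the frame.
// ancestorUrls: URLs of every document above the frame, up to the top page.
function mayRenderInFrame(headerValues, framedUrl, ancestorUrls) {
  // Values are case-insensitive and may arrive comma-joined or as repeats,
  // e.g. when both the web server and the application add the header.
  const values = new Set(
    headerValues
      .flatMap((v) => v.split(","))
      .map((v) => v.trim().toLowerCase())
      .filter((v) => v !== "")
  );
  if (values.size === 0) return true;  // no header: framing is unrestricted
  if (values.size > 1) return false;   // conflicting values: blocked
  const [value] = values;
  if (value === "deny") return false;  // blocked even for the site's own pages
  if (value === "sameorigin") {
    const self = new URL(framedUrl).origin;
    // Every ancestor must share scheme, host and port with the framed page.
    return ancestorUrls.every((a) => new URL(a).origin === self);
  }
  return true;                         // unrecognised value: ignored
}

const formResponse = "https://example.com/form-handler";
const ownPage = ["https://example.com/contact/"];
const otherSite = ["https://other.example/page.html"];

function demo() {
  return {
    denyOwnPage: mayRenderInFrame(["Deny"], formResponse, ownPage),
    sameOriginOwnPage: mayRenderInFrame(["sameorigin"], formResponse, ownPage),
    sameOriginOtherSite: mayRenderInFrame(["sameorigin"], formResponse, otherSite),
    bothHeadersSent: mayRenderInFrame(["Deny", "sameorigin"], formResponse, ownPage),
  };
}

console.log(demo());
```

The last case matters after a change like this one: if an old Deny header is still being sent alongside the new sameorigin one, the frame stays blocked.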